Cross-Origin State Inference (COSI) Attacks: Leaking Web Site States through XS-Leaks

In a Cross-Origin State Inference (COSI) attack, an attacker convinces a victim to visit an attack web page, which leverages the cross-origin interaction features of the victim's web browser to infer the victim's state at a target web site. Multiple instances of COSI attacks have been found in the past under different names such as login detection or access detection attacks. However, those attacks only consider two states (e.g., logged in or not) and focus on a specific browser leak method (or XS-Leak). This work shows that mounting more complex COSI attacks, such as deanonymizing the owner of an account, determining whether the victim owns sensitive content, and determining the victim's account type, often requires considering more than two states. Furthermore, robust attacks require supporting a variety of browsers, since the victim's browser cannot be predicted a priori. To address these issues, we present a novel approach to identify and build complex COSI attacks that differentiate more than two states and support multiple browsers by combining multiple attack vectors, possibly using different XS-Leaks. To enable our approach, we introduce the concept of a COSI attack class. We propose two novel techniques to generalize existing COSI attack instances into COSI attack classes and to discover new COSI attack classes. We systematically apply our techniques to existing attacks, identifying 40 COSI attack classes. As part of this process, we discover a novel XS-Leak based on window.postMessage. We implement our approach in Basta-COSI, a tool to find COSI attacks in a target web site. We apply Basta-COSI to test four stand-alone web applications and 58 popular web sites, finding COSI attacks against each of them.
